hostname esr-21-2

ip firewall sessions counters
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit
object-group service OBJ_SVC_NAT_SSH
  port-range 777
exit

object-group network OBJ_NET_STATIC_IP
  ip address-range 12.12.12.22
exit
object-group network OBJ_SERVER_IP
  ip address-range 192.168.102.1
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

username admin
  password encrypted $6$jK4EbZO6Wgf8SR4V$Qk9bbeYu.Dnz0YCTmFvSrIDfH3iXU6pgbI/boyXTVlgnc2LFvOFHhg9pA798kKV1H0vypPNMwofM5JZXLqrXc1
exit
line aux 1
  transport telnet port 2001
exit


system jumbo-frames
system config-confirm timeout 120

boot host auto-config
vlan 2
exit

no spanning-tree

security zone LAN
exit
security zone WAN
exit
security zone VPN
  description "FROM_DMVPN"
exit

ip bfd multiplier 3
route-map BGP_OUT
  rule 1
  exit
exit
router bgp 65002
  router-id 2.2.2.2
  neighbor 1.1.1.1
    remote-as 65001
    ebgp-multihop 2
    update-source 2.2.2.2
    address-family ipv4 unicast
      route-map BGP_OUT out
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 192.168.102.0/24
  exit
  enable
exit

router ospf 555
  router-id 2.2.2.2
  area 0.0.0.0
    network 10.255.254.0/24
    network 2.2.2.2/32
    enable
  exit
  enable
exit

interface port-channel 1
exit
interface port-channel 1.300
  security-zone LAN
  ip address 10.14.112.249/24
exit
interface port-channel 1.3
  security-zone LAN
  ip address 192.168.102.254/24
exit
interface port-channel 1.102
exit
interface gigabitethernet 1/0/1
  description "WAN"
  security-zone WAN
  ip address 11.11.11.22/24
exit
interface gigabitethernet 1/0/2
  description "WAN2"
  mtu 9500
  security-zone WAN
  ip address 12.12.12.22/24
exit
interface gigabitethernet 1/0/2.555
  description "p2p_mpls"
  mtu 9500
  security-zone VPN
  ip address 172.30.30.2/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf
exit
interface gigabitethernet 1/0/3
  mode switchport
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface gigabitethernet 1/0/5
  mode switchport
exit
interface gigabitethernet 1/0/6
  mode switchport
exit
interface gigabitethernet 1/0/7
  mode switchport
exit
interface gigabitethernet 1/0/8
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/9
  mode switchport
exit
interface gigabitethernet 1/0/10
  mode switchport
exit
interface gigabitethernet 1/0/11
  mode switchport
exit
interface gigabitethernet 1/0/12
  mode switchport
exit
interface loopback 1
  ip address 2.2.2.2/32
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf
exit
tunnel gre 101
  mtu 1400
  multipoint
  security-zone VPN
  local address 11.11.11.22
  ip address 10.255.255.2/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf priority 0
  ip ospf
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 10.255.255.1 11.11.11.11
  ip nhrp nhs 10.255.255.1/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
tunnel gre 102
  mtu 1400
  multipoint
  security-zone VPN
  local address 12.12.12.22
  ip address 10.255.254.2/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf priority 0
  ip ospf network point-to-point
  ip ospf
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 10.255.254.1 12.12.12.11
  ip nhrp nhs 10.255.254.1/32
  ip nhrp ipsec IPSEC_VPN_HUB_102 static
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

mpls
  ldp
    router-id 2.2.2.2
    address-family ipv4
      interface gigabitethernet 1/0/2.555
      exit
    exit
  exit
  l2vpn
    pw-class L2_VPN
      description "TEST"
    exit
    p2p P2P_L2_VPN
      interface port-channel 1.102
      pw 102 1.1.1.1
        pw-class L2_VPN
        enable
      exit
      enable
    exit
  exit
  forwarding interface gigabitethernet 1/0/2.555
exit
security zone-pair VPN self
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    description "GRE"
    action permit
    match protocol gre
    enable
  exit
  rule 2
    description "ISAKMP"
    action permit
    match protocol udp
    match destination-port OBJ_SVC_VPN
    enable
  exit
  rule 3
    description "ESP"
    action permit
    match protocol esp
    enable
  exit
  rule 10
    description "ICMP"
    action permit
    match protocol icmp
    enable
  exit
  rule 20
    description "AH"
    action permit
    match protocol ah
    enable
  exit
  rule 100
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair LAN VPN
  description "LAN_to_VPN"
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  description "VPN_to_LAN"
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair WAN LAN
  rule 10
    description "DNAT_777"
    action permit
    match protocol tcp
    match destination-address OBJ_SERVER_IP
    match destination-nat
    enable
  exit
exit
security zone-pair LAN WAN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit

security ike proposal IKE_PROP_1
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_POL_1
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP_1
exit

security ike gateway IKE_GW_HUB
  ike-policy IKE_POL_1
  local address 11.11.11.22
  local network 11.11.11.22/32 protocol gre 
  remote address 11.11.11.11
  remote network 11.11.11.11/32 protocol gre 
  mode policy-based
exit

security ike gateway IKE_GW_HUB_102
  ike-policy IKE_POL_1
  local address 12.12.12.22
  local network 12.12.12.22/32 protocol gre 
  remote address 12.12.12.11
  remote network 12.12.12.11/32 protocol gre 
  mode policy-based
exit

security ike gateway IKE_GW_SPOKE
  ike-policy IKE_POL_1
  local address 11.11.11.22
  local network 11.11.11.22/32 protocol gre 
  remote address any
  remote network any
  mode policy-based
exit

security ipsec proposal IPSEC_PROP_1
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POL_HUB_1
  proposal IPSEC_PROP_1
exit

security ipsec vpn IPSEC_VPN_HUB
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_HUB
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security ipsec vpn IPSEC_VPN_HUB_102
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_HUB_102
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security ipsec vpn IPSEC_VPN_SPOKE
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_SPOKE
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security passwords default-expired
nat destination
  pool SERVER_IP
    ip address 192.168.102.1
    ip port 22
  exit
  ruleset DNAT
    from zone WAN
    rule 1
      match protocol tcp
      match destination-address OBJ_NET_STATIC_IP
      match destination-port OBJ_SVC_NAT_SSH
      action destination-nat pool SERVER_IP
      enable
    exit
  exit
exit

ip dhcp-server pool lan-pool
  network 192.168.1.0/24
  address-range 192.168.1.2-192.168.1.254
  default-router 192.168.1.1
exit

ip route 0.0.0.0/0 10.14.112.254

ip ssh server

lldp enable

clock timezone gmt +4

ntp enable
ntp server 10.1.8.2
exit
ntp server 10.1.8.1
exit